[Snort-users] Overriding alert rules with pass rules for specific cases

Joel Esler (jesler) jesler at ...589...
Fri May 9 08:39:52 EDT 2014

On May 9, 2014, at 12:10 AM, Kimi Ushida <kimi at ...15501...<mailto:kimi at ...391...5501...>> wrote:

I have a question about writing a rule which in specific cases will pass
(not alert/drop) traffic where a VRT rule will otherwise alert on.  I'd
like to leave the original VRT rule enabled as-is (for example, SID
25975, revision 2) since it's generally reliable.

However, this falses in cases where we have a vuln scanner that we'd
like to pass through without dropping, but this scanner's source IP may
be obfuscated (such as through NAT, etc.) and from the perspective of
the sensor could potentially share this same source IP with actual
malicious sources.  Therefore using BPF wouldn't work since I have no
way of distinguishing in the IP header between good and evil clients.

I figured this is simply writing an equivalent pass rule keeping all of
the original rule options in place, but have an additional content match
which singles out the legitimate traffic we want to pass (for my case,
the legit vuln scanner traffic will be seen with a unique content string
which I can flag against).  However, I'm apparently not doing something
right and I'm guessing this is attributed to the "fast_pattern:only;"
part in the original VRT rule.  Perhaps I need a refresher on the
fast-pattern matching system to understand where I'm going wrong.

Sounds like what you want to do a suppression.  Perhaps only for the time when the vuln scanner is running?

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140509/da825e39/attachment.html>

More information about the Snort-users mailing list